UPDATE: ISC Detects RPC/DCOM Worm

The Internet Storm Center (ISC) reported that it has captured an RPC/DCOM worm that is capable of spreading to Windows 2000 and Windows XP systems. According to ISC, the worm uses RPC/DCOM to propagate itself, sending a self-extracting compressed file that is 6176 bytes in size, and about 11KB when uncompressed. The captured worm came in the form of a file called mblast.exe, which has an MD5 checksum of 5ae700c1dffb00cef492844a4db6cd69.

Once the worm executes on an infected system, it spawns a backdoor on port 4444 and then tries to download more worm files from a range of Trvial FTP (TFTP) servers.

The worm also adds a registry key that causes it to run with each reboot of a system. The registry key is in the SOFTWARE\Microsoft\Windows\CurrentVersion\Run hive (under HKEY_LOCAL_MACHINE) under the value name "windows auto update".

The worm tries to propagate itself to other systems by scanning IP addresses sequentially for systems with an open port 135. ISC said it thinks the starting IP address used for scans might be randomly selected. Symantec reports that an algorithm is used to determine which addresses are scanned, and due to the algorithm the local subnet will be scanned first and then the worm will begin scanning address space outside the local subnet.

Symantec also reports that the worm will launch a distributed denial of service against Microsoft's Windows Update Web site on any date (as long as it is between the 15th and 31st of any given month) using SYN flood attacks from infected systems.

To protect your systems be sure to block ports 135 through 139 (UDP and TCP), 445 (TCP), and 593 (TCP) wherever possible, and load the patch provided by Microsoft. Also, block port 69, which is used for TFTP, and port 4444, which is used by the worm as a backdoor into affected systems. Doing so will prevent the worm from download code used to spread. However, there are reports that some Kerberos activity takes place on port 4444, so you might break Kerberos functionality if you block the ports.

Also note that while it was thought that disabling DCOM using the dcomcnfg.exe tool would help prevent attacks, this is not always the case. Windows 2000 systems with Service Pack 2 or earlier must either have have Security Rollup Pack 1 installed, or the hotfix related to Microsoft bulletin MS01-041 (be sure to read article Q298012 ) installed, otherwise disabling DCOM is not effective.

On the evening of August 12 Microsoft published a bulletin about the worm, which describes the actions that should be taken to help prevent infection and spread. The bulletin has links to technical details of the worm, instructions for setting up Windows XP's Internet Connection Firewall, instructions for establishing TCPIP filtering using built-in Windows features, links to several free firewalls, links to AV software, and links to the patches that can be obtained without using the Windows Update Web site.

If your systems are infected by the worm, follow the removal instructions below provided by eEye Digital Security. If you're uncertain whether your machines have been patched, eEye has provided a free scanning tool that can help you make that determination.

1. Delete the registry key found at: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value: "windows auto update" String: "msblast.exe" 2. Look for "msblast.exe" running in the task manager. If it is running, kill the process. 3. Delete the file "msblast.exe" found in %systemroot%\system32\msblast.exe

You can also use a free clean-up tool provided by Symantec. However, be aware that your systems might have been infected with other types of malware, such as the "sdbot" IRC bot. The tool will not clean up those problems.

Shavlik Technologies also provides a free version of its HFNetChk Lite software, which can scan your entire network for missing Microsoft patches and automate patch installation for up to 50 systems.

Tobias E. Schmidt of Winona University posted two visual basic scripts that can be used to help control the worm while patches are rolled out and to help clean up infected systems. The scripts can be inserted into computer startup and user logon sequences using Group Policy.

The number of target systems scanned for an open port 135, which the worm uses to spread, have been considerably higher since Microsoft released is security bulletin on July 16. Trends reveal that since that time the number of hosts performing scans has increased dramatically. Where before July 16 there were roughly 900 to 1100 systems scanning for port 135, as of August 11 there were over 58,900 systems performing scans, many of which are probably systems infected with the new worm.

On Monday, a few minutes after news of the new worm spread to the Bugtraq mailing list, an anonymous user with an email address from a Hotmail account posted a message to the list which contains link to another set of exploit code for the RPC/DCOM problem. The zip file contains a copy of the code, a compiled executable, as well as a macro file that can used once the exploit inserts a backdoor command shell into an infected the system. The code, called KaHT II, is capable of spreading itself to other systems rapidly.

You can also read more about the RPC/DCOM vulnerability in other articles on our Web site, and find links to Snort and its accessories list below: